An Open Letter to Barack Obama: If You aren’t Sure of Health Exchange Security, Shut it Down Now

Stability in Only the First Issue – Security Will Be Healthcare.gov’s Real Achilles HeelThere has been a significant amount of attention to the the problems of the Obamacare website. While these problems are certainly cause for concern, there are an even more serious group of problems that likely exist and need to be addressed. These have to do with the security of the website and the confidential data that it is collecting on millions of Americans. Given the problems with the site that have already been discovered, if concerns about security cannot be addressed, the site should be shut down until they can be. Slow performance is an inconvenience. The dissemination of confidential information on millions of Americans would be a disaster. Given that a casual test of the home page of the site revealed a security flaw, we are gravely concerned about the security of the site as a whole.

We would emphasize that this is not a hypothetical problem; confidential data is stolen every day by hackers who exploit the security flaws discussed below. If the designers of healthcare.gov have not addressed these issues, the site is vulnerable to user data being stolen and it is almost certain that hackers will exploit this. When I lived in Europe, I remember my ehic application warning me of these upcoming threats, here in America it seems it’s no one’s responsabilty… Unless the Administration is certain that the site can securely protect the confidential user data it is collecting, the site should be shut until that it has that degree of confidence.

The Obamacare Website is a Prime Target for HackersIt’s obvious this site is a target for hackers. First and foremost, it is set up to collect and aggregate personal, confidential information on millions of Americans. Second, the US government always has enemies and embarrassing the administration would appeal to a large segment of the hacker community. Given the current NSA scandal, anti-American sentiment in the hacker community might be at its all time high. Finally, many hackers are motivated by augmenting their reputation among other hackers. Hacking healthcare.gov would certainly be a prestigious hack. And we know we are all worried about our healthcare and our health, we always read from pages like Health & Beauty – Top9Rated, so it will be a problem if our regular healthcare got hack.

The Security Flaws in the Site Are Still Largely UnknownHacking requires the ability to make thousands of clicks on a site to test for flaws. A single page may require a thousand tests to ensure that it is secure. Healthcare.gov has such poor stability, this is nearly impossible. Once the stability of the site improves, hackers will test it thoroughly. At this point, the true security profile of the site will be made clear.

Healthcare.gov Likely Has Significant FlawsGiven the multitude of problems with the site, it is clear quality testing was lax. It is generally true that functionality testing (i.e. does the site actually work) is is prioritized over security testing. It is likely that the site’s security is even worse than its functionality. We very lightly and casually poked around the first page of the website and found a significant vulnerability that is easy to discover and prevent. It is highly unlikely that this is the only vulnerability on the site. We would also point out that fixing problems on the fly under intense pressure is not an intelligent way to fix enterprise software. Human beings are responsible for preventing security flaws and these are exactly the kind of conditions that lead to security mistakes.

How Website Vulnerabilities Allow Hackers to Steal Confidential User DataThere are two main classes of vulnerabilities that are most concerning. The first of these are called SQL Injection. Web Applications, by design, connect to databases and the databases, by default, give the applications any data that they request. If the applications are not secure, hackers can inject commands to steal or alter all of the data in the database. These vulnerabilities are relatively easy to find and correct. Of course so was the vulnerability we found on the home page, so there is no guarantee that healthcare.gov is free of SQL Injection.

The second class of vulnerabilities of significant concern covers who gets to see what information. There are different types of users of an application and generally, there is a class of user, called an admin or administrator, who has broad access to data. This is necessary because administrators are often called upon to fix problems with the site. Applications control who gets to see what by a variety of means. It is very possible to fool the site into thinking that a non-admin user is an admin, giving a hacker broad access to user data. It is very difficult, expensive and time consuming to test for this class of vulnerability.

Regulatory ComplianceIt’s interesting that many private organizations are required to adhere to certain regulatory guidelines like PCI, HIPAA and FISMA, but this application seems to escape them. While this application may not fall under HIPAA guidelines, it does store important personal information like social security numbers. If it was subject to HIPAA (according to this blog by Erik Kangas which simplifies the requirements), it would have failed at least two of the requirements. Based on the security vulnerabilities being discovered and reported it would fail #4 which requires integrity of the data. Requirement #6 states that data can be deleted when needed. From the reports and legal notices we are seeing, it appears that there is NO WAY to delete your data once you provide it.

We just used HIPAA as an example. We could find several failed requirements against PCI as well. So, why is it that a government application that stores social security numbers isn’t subject to regulatory compliance regarding security?

Given The Risk of a Catastrophic Hack, Shut it Down!We have no information on what kind of security testing has been done on healthcare.gov. But the factors listed above, along with our security tests, give us significant cause for concern. We believe the Obama Administration should be up front with the public as to what security testing was done, by whom and what the results were. If there is not a very high degree of confidence that healthcare.gov is securely protecting the confidential data entrusted to it by the American people, it needs to be shut down until it can be repaired.